As the UK self-assessment and company tax system moves more towards digital reporting and enquiries, there has been an increase in the number of tax agents locked out of their HMRC accounts. Often due to “suspicious activity,” in this day and age, you would have thought the resetting of passwords would be relatively straightforward.
Unfortunately, this is not the case, with some agents waiting six weeks or longer to regain critical access to their agent accounts. While it is understandable that HMRC, the holder of highly confidential financial information, is a little more obsessive about security than most, it’s difficult to justify such delays and the obvious consequences.
How significant is the threat of unauthorised access?
To put this into context, an estimated 85,000 tax advisers with HMRC agent accounts service 12 million taxpayers. That is a lot of sensitive data!
In the 2022/23 tax year, HMRC reported:-
- 11.5 million self-assessment submissions
- 207,800 referrals of suspicious contact (up 14% from the previous 12 months)
- 79,000 of those referrals related to bogus tax rebates
- 26,443 malicious web pages were taken down by Internet providers (up 29%)
Many have been critical of a perceived lack of investment in cyber security (and broader IT spending), especially with HMRC pushing businesses and individuals towards digital submissions.
What happens when an agent is locked out?
A simple Google search will show you the growing number of tax agents, many of whom manage multiple client accounts, being locked out of their HMRC portal. Despite pushing companies and individuals towards the new digital era, warnings that accounts have been locked are often sent through the post. Many agents have also been informed that clients impacted by the freezing of their accounts will be informed.
It is easy to see the potential consequences whether locked out for days, weeks or, in some cases, months.
Disruption of services
Whether looking at individual or company tax filings, VAT, reporting, or simply managing tax affairs, even a matter of days with no access can significantly disrupt the services agents provide to clients.
Financial losses
Penalties and fines for missing submission dates, potential financial losses for companies and individuals, and the threat of compensation demands could leave many parties out of pocket. Even though lockout issues will eventually be resolved, it is unlikely to happen overnight!
Reputational damage
This is perhaps the greatest threat to tax agents, reputational damage often through no fault of their own and, in many cases, no reasons given by HMRC. Clients and other third parties may see this as unprofessional and incompetent, unaware of the details of the situation. As we know, it can take decades to build a reputation but a split second to lose it.
Legal and compliance risks
An extended lockout period by HMRC could see tax agents unable to fulfil their legal obligations to clients under tax laws and regulations. Bizarrely, this could prompt audits and HMRC investigations and potentially expose tax agents and their clients to legal risks. The knock-on effects can be huge!
Operational challenges
While there are HMRC helplines (although many are being closed at an alarming rate), lockout queries are often passed to the IT department with no timescale for resolution. Jumping through hoops, supplying additional paperwork and confirming security measures can take weeks and months in some cases. Is the HMRC resolution process fit for purpose?
Loss of access to data
As HMRC accounts are often the central storage platform for important client data, locked agent accounts could block access to critical financial information, impacting tax planning, compliance activities, and financial reporting.
Appreciating the many challenges tax agents face when locked out of their HMRC accounts is not difficult. When these challenges are identified in detail, the financial consequences and potential reputational damage become very real.
Rogue agents or simply criminals?
When discussing rogue agents, we are often talking about criminal gangs determined to gain access to company and individual tax accounts. While there are potential monetary benefits, in many cases it is the data which is invaluable in the wrong hands.
There are numerous ways rogue tax agents will gather data and attempt to access your accounts. These include:-
Phishing emails (and text messages)
We’ve all seen these rogue emails purporting to be from HMRC asking you to log into your account via a malicious link. Surely people don’t fall for these blatant and (in hindsight) obvious scams?
Often, by creating a sense of urgency, promising refunds, or threatening a fine, common sense is undermined. If in doubt, step back, take a breather, and take a fresh look at the situation.
Fake websites
It can take literally a few moments to clone any website, logos, text and the general look. Unfortunately, many individuals (not usually agents) fail to spot the rogue URLs or suspicious links, looking to log in as usual while each keypress is recorded.
Malware and spyware
The ease with which malware and spyware can be installed on a computer is frightening, and the amount of data they can harvest over a prolonged period is staggering. This highlights the need to keep your cyber security software up to date whether you are a sole trader or an accountancy firm.
Brute force attacks
You would be surprised at the number of people who use identical passwords across various accounts. Also, despite repeated warnings over the years, many common passwords, such as “123456,” are still in use. Does this ring any bells?
If you use the same passwords across multiple accounts, it only takes one data breach to fuel brute-force attacks by rogue agents seeking access to HMRC agent accounts.
Impersonating HMRC officials
Firstly, no HMRC official will ever ask for your full password or email address, whether on support channels, over the telephone or by email. If someone starts asking for confidential information, this should be the only red flag you need; it’s a scam.
Data breaches
As we have seen over the years, financial institutions are often the target of criminal gangs looking to steal client credentials. They may use these to commit identity theft or gain access to bank accounts and the HMRC portal. While companies are now under pressure to announce data breaches as soon as possible, there are often delays, and many people still fail to reset their passwords.
What’s the quickest way to regain access to your account?
For those locked out of their agent account, your first port of call will be the HMRC helpline. In a perfect world, you would explain the situation, and the call centre agent would give you a reason for the lockout. A quick password reset would have you back on track and on your way. If only this were the case.
Appreciative that HMRC has tens of millions of accounts to manage and protect, does unexplained “suspicious activity” really justify locking your account for days, weeks or even months. Cases of suspicious activity are routinely passed to the IT department with no timescale, details, or contact information. Even when your account is restored, you will likely be informed by post, which could take days.
While some agents will threaten legal action and demand compensation on behalf of clients, this won’t make a difference. Unfortunately, as with so many other areas of HMRC, until investment in IT increases in line with digital submission volumes (and broader digital services), tax agents, individuals, and companies will always be chasing their tails in this situation.
Summary
It’s essential to balance the need for security against critical access to not only agent tax accounts with HMRC but also individuals and companies. For many agents, the most significant concern is not the freezing of their account but the lack of background information, reasons why, and non-existent timescales for restoration. In the meantime, HMRC may advise clients that their agent’s account has been frozen, leading to more questions, concerns and pressure for agents.
While it may be possible to challenge fines and penalties received due to late submissions and missed payments, for many accountants and tax agents, the most concerning issue is reputational damage – something money can’t buy.
If you have concerns about unsolicited communications relating to your finances and private information, please feel free to contact us for clarification.